Posts from the ‘Compliance and Risk Management’ Category


Contract Management Procedures are Essential for Good Contracts and Monitoring Clients’ Duties and Responsibilities

Contract management, sometimes referred to as contract administration, refers to the processes and procedures that companies may implement in order to manage the negotiation, execution, performance, modification and termination of contracts with various parties including customers, vendors, distributors, contractors and employees.  While business people often dismiss contract preparation as “lawyer’s work” that has little or nothing to do with the important aspects of the working relationship between the contractual parties, contracting is actually one of the crucial activities in determining the success of any business arrangement.  While the essential steps in the contracting process will vary depending on the type and scope of the transaction, and the point at which counsel is brought into the discussions, contract formation and management typically involves most or all of the following:

  • Investigation of the business and legal background for the particular transaction and determination of the role that counsel is expected to play in the contracting process.
  • Identification of the contracts and related documents required to complete the transaction and establishment of a time and responsibility schedule for drafting, review, discussion, revision and completion of all of the required items.
  • Review and evaluation of the related contracts and existing obligations of the company that might be impacted by the specific contract currently under discussion.
  • Collection and review of information regarding the business and legal affairs of the other party to the proposed transaction.
  • Preparation of the initial draft of each of the required contracts and related documents or, in cases where the opposite party is responsible for drafting, review of the initial draft of such items prepared by the opposite party.
  • Discussion of necessary changes in the initial drafts, negotiation of the same and preparation of the final drafts of the contracts and related documents for signature.
  • Preparation for, and completion of, the closing of the transaction at which time all contracts and related documents are executed and exchanged and any required performance at the closing (e.g., cash payments) is completed.
  • Ongoing review of the performance of each of the parties under the terms of the contract, at least in those cases where the contract is long-term and calls for continuous performance over an extended period of time.

The timing and sequence of these steps may be impacted by other conditions unique to the transaction.  For example, while the parties may quickly reach agreement on the content of the contracts, the actual closing may be deferred pending receipt of approvals from governmental officials or completion and delivery of various reports and opinions from third parties.

This month’s supplement to Business Transactions Solution on WESTLAW includes a new chapter on Contract Management (§§ 227:1 et seq.) that covers the creation and use of procedures relating to negotiation, formation and management of effective and enforceable contracts.  The chapter describes the essential steps in the contracting process; investigation of business and legal issues; defining the role of counsel in the contracting process; and establishment and administration of a contract review and signature authority policy.  The specialty forms library includes various forms for use in creating and administering a corporate contracting program including policies and procedures for negotiating and entering into contracts or leases, a contract review summary, procedures for review and approval of proposed contracts, a memorandum to officers, managers, and employees regarding contract review and approval procedures; and a memorandum from the general counsel to members of the corporate legal department regarding guidelines to be followed for effective contract management. The chapter also includes a contract formation and administration checklist, client executive summaries regarding contract management and basic procedures for contract review and approval, a slide deck presentation on contract management to be used for law firm and department training purposes and a memorandum on steps that attorneys can take to develop their own library of forms in order to be a more efficient contract drafter. For issues relating to drafting of particular types of contracts, reference should be made to the materials for the specific transaction in which such contracts are commonly used. Related information is included in Contract Formation and Performance (§§ 100:1 et seq.), Compliance Programs (§§ 223:1 et seq.) and Records Retention (§§ 228:1 et seq.).


Developing a Privacy and Data Security Compliance Program


Developing a privacy and data security compliance program requires a substantial investment of professional and managerial time and financial resources to acquire, install and operate the necessary technological systems that serve as the foundation for collecting, using, transferring and discarding nonpublic personal information. It is common to refer to privacy and data security as a top-level corporate governance issue that involves the board of directors and senior management and, as companies grow, they are likely to recruit and appoint experienced professionals to serve as chief privacy officers with their own dedicated personnel and budget to oversee the elements of the compliance program. While there is no single template for the privacy and data security compliance program, it is important to address the following:

  • Defining and identifying nonpublic personal information handled by the company and documenting how the information flows into, within and outside the organizational structure of the company;
  • Establishing managerial responsibility and control over the compliance program and allocating sufficient cash and other resources to the program;
  • Establishing and enforcing all necessary policies and procedures with regard to privacy and data security;
  • Establishing focused programs to deal with specific privacy-related risks such as online collection of information and collection and use of information during the course of customer relationships;
  • Establishing programs for educating all company employees and business partners about privacy- and data security-related requirements, including continuing education of new developments and threats for executives and managers directly responsible for the compliance program;
  • Understanding and monitoring all applicable privacy- and security-related laws and regulations including emerging trends that may change the regulatory landscape in the foreseeable future;
  • Establishing and administering procedures for oversight of vendors with access to nonpublic personal information for which the company is ultimately responsible;
  • Establishing procedures for data retention and destruction;
  • Establishing and administering privacy incident response and breach notification procedures;
  • Establishing and enforcing disciplinary policies with respect to failure of employees and business partners to comply with the privacy- and data security-related policies and procedures of the company;
  • Communicating the company’s privacy- and data security-related practices to relevant stakeholders including employees, customers, business partners, financial markets and regulators; and
  • Providing regular reports on the efficacy of the program to the board of directors and members of the senior management group.

Responsibility for administering the privacy program should be vested in a single person, generally referred to as the chief privacy officer, who will be given authority to establish privacy policies and procedures and oversee personnel in each department of the company who will be responsible for privacy-related issues in their functional area. The importance of having an executive-level position responsible for managing the risks and business impacts of privacy laws and policies is reinforced by the fact that most of the Fortune 100 companies now have a chief privacy officer or an equivalent position. The chief privacy officer, with the support of the chief executive officer and other members of the senior management group, should be prepared to implement privacy policies and practices for the entire company and coordinate the compliance activities of disparate departments such as marketing, communications, customer service, information technology, human resources and legal. The privacy officer and his/her staff should begin by making an assessment of the nonpublic personal information that the company collects and how it is used and otherwise handled by the company. Once policies and procedures are in place, the privacy officer should conduct privacy impact assessments and audits of the handling of nonpublic personal information and should create training and educational programs for employees and company agents. Various resources are available for developing a privacy program, including the materials that are readily available from privacy seal organizations and from privacy advocacy groups.

Achieving adequate data security and privacy protections for customers, employees and other parties requires a strategy and, like any other strategy, it is important to identify relevant metrics that can be used to assess performance.  Unfortunately, there is no single strategy that will be entirely successful in each instance and even companies that have thoughtfully developed and implemented data protection regimes can suffer security breaches.  When creating a data protection program, companies should be mindful of the stories they might need to tell if and when problems occur, and this means being able to demonstrate that the program was based on recognized industry standards and applicable regulatory guidelines.  In addition, companies should have a record of their consultation processes that includes the names and backgrounds of the technical and legal specialists that were involved.  Companies should also be able to explain how their data security framework works and when and how decisions were made among various alternative solutions.  For example, companies typically have a limited budget for their data security programs and the record should describe how and why dollars were invested in addressing particular risks.  While all this information cannot eliminate potential liability for security breaches, it can help mitigate potential penalties and punitive damage awards.

Chapter 230 of Business Transactions Solution (§§230:1 et seq.) on WESTLAW covers the development and administration of policies and procedures to comply with laws, regulations and industry standards relating to privacy, data security and overall collection and use of nonpublic personal information. The materials include a large library of illustrative policies and related practice tools such as checklists for developing a privacy and data security compliance program (BTS §230:130), negotiating information security issues in outsourcing contracts (BTS §230:131) and privacy and data security issues in acquisition transactions (BTS §230:132).  The chapter also includes valuable communications vehicles for clients including client executive summaries regarding privacy and data security laws (BTS §230:133), security requirements for nonpublic personal information (BTS §230:134) and implementation and management of privacy programs (BTS §230:135).



Role of the Board in Developing and Overseeing Compliance Programs


When companies run afoul of laws and regulations the publicity can be intense and the adverse reputational and financial consequences to the company are generally quite significant.  The post-mortem brings the board of directors to “center stage” and judges, regulators, investors and pundits in the financial press will all be asking whether the directors were paying attention, asking the right questions, adopting and enforcing appropriate policies and procedures, and making it clear that “compliance matters” when setting goals and allocating rewards.  Simply put, while directors are not expected to fend off every act of misconduct by executives, employees and agents of their companies, they are responsible for effectively discharging their own duties and responsibilities relating to compliance and ethics programs.

The core elements of directors’ compliance-related duties and responsibilities come from several sources:

  • The Federal Sentencing Guidelines for Organizations require that the governing authority of the organization (e.g., the board of directors of a corporation) be knowledgeable about the content and operation of the compliance and ethics program; exercise reasonable oversight with respect to the implementation and effectiveness of the program; exercise due diligence to prevent and detect criminal conduct, and promote an organizational culture which encourages compliance with the law.
  • Courts have recognized that directors have a fiduciary obligation to make a good faith effort to assure that an adequate compliance program exists and to take affirmative steps to ensure that appropriate information regarding compliance with applicable laws reaches the board in a regular and timely manner.
  • The listing requirements of the major securities exchanges include compliance-related elements such as mandating implementation of reporting procedures, adoption of codes of conduct and business ethics and independence of board and audit committee members.
  • Regulators focusing on a range of industries have articulated their preferences regarding the role of the board of directors in compliance activities by conditioning settlement agreements on undertakings by the company that its board will retain independent individuals or entities with compliance expertise and regulatory guidelines consistently mention that directors must be knowledgeable about, and involved with, the compliance programs of their companies.

While attention to compliance problems is generally most intense for larger publicly-owned companies, directors of firms of all sizes, including privately-owned companies, should consider “compliance” to be a significant part of their jobs.  All directors have a fiduciary duty to their corporations and to the stockholders who are actual owners of the corporation and that duty will almost certainly be breached if directors fail to act with care in developing and implementing compliance and ethics programs and as a result the corporation and/or its agents are found to be culpable of misconduct and/or unlawful activity.  In order to be sure that the board and its members understand their role in developing and overseeing an effective compliance and ethics program the following questions should be carefully considered:

  • Is each prospective member of the board advised prior to appointment that he or she will be expected to achieve and maintain an adequate level of knowledge and skills relating to their duties with respect to overseeing the company’s compliance and ethics program and is prior compliance experience a factor in vetting new board members?
  • Has each new member of the board completed an orientation program that includes information on the sources of a director’s duties and obligations with respect to oversight of the company’s compliance and ethics program and illustrative case studies of how courts and regulators have interpreted and enforced such duties and obligations?
  • Are the members of the board sufficiently knowledgeable about the operations and structure of the company to understand internal reporting procedures and lines of authority and identify the activities that present the highest level of compliance risk?
  • Are the members of the board sufficiently knowledgeable about the legal environment for the company’s specific business activities so that they can readily understand the statutes and regulatory guidelines that are most relevant to decisions about how to design the compliance and ethics program?
  • Has the board ensured the compliance and ethics program is appropriate for the specific activities of the company by undertaking a detailed risk assessment that identifies and ranks risk areas and issues that have raised compliance problems in the past and must be specifically addressed in the program?
  • Has the board conducted a “cost-benefit” analysis regarding the scope of the company’s compliance and ethics program to ensure that the company’s limited resources for compliance infrastructure have been efficiently allocated to the areas that present the most significant potential risks and liabilities for the company?
  • Has the board fulfilled its overriding obligation to be knowledgeable about the content and operation of the company’s compliance and ethics program by overseeing the development of the program and formally reviewing and approving the overall program and specific policies and procedures within the program (e.g., code of conduct, policies regarding conflicts of interest, “hot line” or other policies for reporting misconduct and policies that address the company’s highest risk areas such as employment laws, antitrust laws and/or products liability laws) before implementation?
  • Has the board formally approved the creation of an independent team with compliance expertise within the company’s organizational structure that includes (1) a chief compliance officer (“CCO”) who reports directly to the board (or audit or compliance committee of the board), (2) a compliance department overseen by the CCO, (3) a corporate compliance committee (“CCC”) with members from all the company’s functional departments charged with implementing compliance policies and procedures, and (4) an internal controls/security department charged with implementing internal controls and detecting and reporting actual misconduct and suspicious activities?
  • Has the board formally given the CCO and the compliance department the authority to audit the activities of the company’s legal department and provide direct guidance and assistance to members of the board regarding fulfillment of their oversight responsibilities relating to compliance activities?
  • Has the board formally reviewed and approved the charter of the CCC to ensure that it addresses key activities such as the development and implementation of codes of conduct and other compliance policies and procedures, development and administration of compliance and ethics training programs, risk assessments, annual audits of compliance and internal controls programs and remedial actions and employee discipline in the case of compliance issues or other misconduct?
  • Does the board (or the audit or compliance committee of the board) receive regular reports from the CCO regarding the involvement of managerial leaders from other departments (e.g., human resources, legal, finance, business development etc.) in the activities of the CCC and the actions they have taken to implement relevant aspects of the compliance and ethics program within their departments?
  • Has the board required that the CCO develop objective performance metrics for the compliance and ethics program that have been formally approved by the board and set aside time at each meeting of the board (or audit or compliance committee of the board) to receive reports on the operations of the compliance department and progress toward satisfying the program’s goals and objectives and ask compliance-related questions of the CCO and members of the senior management team?
  • Has the board allocated sufficient human, financial and technological resources to the compliance and ethics program (including funding for the CCC and retention of outside advisors (e.g., lawyers, accountants and consultants)) and invested the board’s own time in continuously considering compliance-related issues?
  • Has the board provided for the “express authority” and “direct reporting obligation” for those persons with day-to-day responsibility for compliance activities (e.g., the CCO) to have direct access to members of the board and/or the committee of the board to which compliance matters have been delegated (i.e., audit or compliance committee) without having to report to the CEO, other members of the senior management team or the legal department?
  • Has the board acted in a manner that sets the appropriate “tone at the top” with respect to promotion of an organizational culture of ethical conduct throughout the company and encouraging compliance through the use of appropriate incentives and disciplinary measures and proactive involvement in the development and approval of the compliance and ethics program in the manner described above?
  • Has the board properly aligned the incentives for members of the management team and employees by ensuring that the company’s performance evaluation and incentive compensation processes take into account not only traditional financial metrics but also compliance and ethics-related objectives such as product/services quality, safety and customer satisfaction?
  • Have all of the members of the board, as well as officers and employees of the company, completed adequate training to ensure that they are aware of the content and purposes of the company’s compliance and ethics program and how issues are identified and remediated?
  • Has the board provided for continuous training of board members and senior management on the impact of changes in the legal and regulatory environment of the company that will impact the company’s compliance requirements?
  • Have all of the members of the board been provided with suggestions on how they can educate themselves about how to carry out their compliance oversight activities such as by accessing information, guidelines and educational programs available through government websites (e.g., Office of Inspector General)?
  • Does the board oversee regular reviews of the compliance and ethics program, no less than annually, to determine if changes are necessary in light of objective metrics of the efficacy of the procedures included in the program and changes in applicable laws and regulatory enforcement initiatives?
  • Does the board oversee regular reviews of the company’s internal controls and risk management policies and procedures, no less than annually?
  • Does the board ensure that reports or findings of compliance problems or other acts of misconduct are promptly reviewed and that responses are made in a timely fashion?

While several of the questions posed above strongly imply that managerial responsibility for compliance issues be vested in a CCO, as opposed to the general counsel, it is obvious that the development and implementation of an effective compliance and ethics program should be driven by the legal team supporting the company, both in-house attorneys and outside law firms.  Your role as an attorney relative to “compliance” will vary depending on where and how you practice law.  All attorneys wishing to provide value to their clients in the compliance area should be familiar with the questions above and why each of them is important.  This will allow them to converse openly and knowledgeably with directors and members of the senior management team.  All attorneys should also be aware of the basic elements of a comprehensive compliance program: surveying the legal environment; compliance audits and risk assessments; “buy in” from the board of directors; written compliance materials; organizational culture; education and training; program monitoring and implementation; program audits; internal investigations and document retention programs.  Beyond that, a specific attorney might find that one of the following fits his or her particular situation in the compliance arena:

  • You are the general counsel of a large organization that is involved in a range of business activities that expose it to multiple areas of law and regulation. You may even be the actual or de facto “chief compliance officer” of the organization.  In this position you need to have a thorough understanding of the essential elements of any compliance program and you need to recruit and oversee qualified and experienced subject matter experts in various legal areas who can develop and administer focused compliance programs and provide support to the organization’s non-legal compliance infrastructure.
  • You are the senior partner acting as outside general counsel to an organization. Your role should be to act as the principal advisor to the directors of the organization with respect to educating them on their compliance duties and obligations, a task that can be eased by going through the questions above.  You should be prepared to guide the organization through the preliminary steps on the road to creating a compliance infrastructure and make available subject matter experts from your firm to assist in developing and implementing compliance programs in key areas such as employment, antitrust, intellectual property and products liability law.
  • You are a senior attorney providing substantive advice on issues in a particular area of law (e.g., an employment law expert who regularly answers questions from clients on their current human resources problems such as a claim of harassment or discrimination or handling a sticky termination scenario). While helping your clients “put out fires” is certainly valued, you can also help them become more efficient users of legal services and avoid potentially costly problems by building the expertise necessary to assist clients in developing compliance programs and related tools.
  • You are the head of a one person law department. Your role with respect to counseling the directors and members of the senior management team is essentially the same as your counterpart at the large organization discussed above; however, your world is likely quite different because you do not have the luxury of hiring additional in-house lawyers to provide compliance program support.  In this situation you need to understand the basic elements of compliance programs and select experts from outside law firms to assist in developing a customized compliance program in a cost-efficient manner.  Your own skills and understanding of compliance programs will help you strike the right balance and manage the costs of relying on an outside law firm.
  • You are a solo practitioner with an active portfolio of business clients. Again, the questions above can provide you a starting point for the “compliance discussion” with those clients; however, you won’t be able to offer support from other attorneys in your firm and you will need to develop a network of subject matter experts that you can call upon to provide assistance for your clients.  Fortunately, there are many small boutique firms that specialize in one area and can be relied upon to provide compliance-related support.  You’ll need to know the essential elements of compliance programs and be able to interview attorneys from these firms to ascertain whether or not they can provide the support that your clients will need.
  • You are a new associate or law department attorney. You didn’t take “compliance” in law school and it wasn’t something that was covered in bar exam review courses.  In fact, compliance may not be well understood by your supervisors at the law firm or in the law department.  Nonetheless, you can and should study the questions above and make “compliance” part of your own skill set.  Ask your supervisor about compliance and seek out opportunities to help with developing compliance programs.  Work on drafts of compliance policies and management briefings for clients.  Better yet, volunteer to help with training programs.  It’s the best way to learn the basic requirements in a particular area and practice explaining them to clients.

Law firms, bar associations and law schools tend to organize around substantive areas of law—business organizations, antitrust, contracts, real property, labor law.  As such, key skills that cut across areas of law, such as deal making and compliance counseling, often get lost.  It is true that “compliance” cannot stand alone without reference to particular laws and regulations; however, effective compliance counseling is invaluable to clients and can only be done when the business counselor understands the principles and ideas discussed above.

Chapter 223 (§§ 223:1 et seq.) of Business Transactions Solution on WESTLAW provides business counselors with the guidance and tools needed to provide value to their clients during the process of designing, implementing and maintaining effective compliance programs.  Recently added practice tools include a checklist of legal areas and business activities to be covered by a compliance program (§223:108); a checklist of the elements of an effective compliance program (§223:109); a questionnaire for analyzing and assessing compliance procedures and attitudes (§223:110); an executive summary for clients regarding compliance programs (§223:111) and a slide deck presentation on compliance programs that can be used for law firm and department training purposes (§223:112).



Risk Management–A Corporate Imperative for the Executive Team

All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the environmental risks that are related to their day-to-day activities.  It is becoming routine practice for larger companies to create a corporate risk manager position and to have that position report directly to the CEO.  Surveys indicate that risk management will continue to be a major concern for corporate executives in the years to come and the areas that are of most concern seem to fall into the following categories:

  • Corporate governance issues, including the impact of the federal Sarbanes-Oxley Act and the growing interest and active intervention in corporate governance among specific states in the US and in foreign countries.  In addition to the costs of actual liability for violation of corporate governance laws and regulations, companies are being forced to invest substantial amounts in compliance programs in order to satisfy the requirements of financial exchanges and business partners who themselves are heavily regulated.
  • Natural disasters (e.g., hurricanes, flooding and earthquakes) in the US and in foreign countries where companies have substantial assets and/or are engaged in a high volume of business activities.
  • Higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable.  Companies are being sued for all sorts of potential claims ranging from products liability to mismanagement of employee benefit plans and the number of active lawsuits that larger companies may be defending at any point in time generally runs into the hundreds.
  • Physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways.
  • Governmental regulation, apart from the corporate governance issues referred to above, that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors.

The list above is by no means all-inclusive and companies must also anticipate the possibility of terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies.  In addition, as companies do more and more business outside of the US, they are exposed to local risks in each foreign country where they are operating, including a unique set of laws and regulations and the possibility that changes in the political environment will have a negative impact on foreign companies.  Finally, while new communications technologies have revolutionized the way that business is conducted, they also create new potential hazards—the risk that a business can be shut down by natural disasters that disable the communications infrastructure and potential liability for theft of personal information that has been entrusted to companies for safekeeping.

Fortunately the increase in risk has been accompanied by the development of new tools to manage those risks.  Even small companies can establish systems to collect and analyze information regarding potential events that may result in losses and insurance companies are working with their customers on enterprise risk management (“ERM”).  In fact, a number of providers offer in-person and online courses on various aspects of ERM and companies should seriously consider having all of their top managers participate on a regular basis.  Viewed properly, risk management is part of the company’s overall strategic business planning effort to reduce and manage uncertainties in the environment in which the company operates.


Risk Management—An Imperative for Founders and Senior Managers

All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the internal and environmental risks that are related to their day-to-day activities.  While larger companies are particularly focused on the risks associated with corporate governance issues, founders and executives everywhere should be concerned about the potential adverse impact of natural disasters, litigation or government investigations, physical infrastructure and facilities risks, terrorist attacks, unforeseen changes in customer requirements, the entry of new competitors or introduction of new technologies, credit and market risks, breakdowns in internal controls, and security breaches that can lead to financial losses and reputational damage.  All this means that companies must integrate risk management into their overall strategic business planning effort to reduce and manage uncertainties in the environment in which they operate.  In order to do this, companies must embrace risk assessment processes that allow them to benchmark, or compare, the risk areas and compliance activities of their company against firms of similar size engaged in comparable operational and business activities.  The output of these processes then becomes the basis for designing effective compliance programs and setting operational priorities for everyone in the workplace.

The International Center for Growth-Oriented Entrepreneurship has just released a chapter from its Library of Compliance Resources on Conducting Risk Assessments which is available for free downloading and sharing by clicking here.  Some important things to know about risk management and risk assessments include the following:

1. The risks that are the greatest concerns for corporate executives include corporate governance issues, which not only expose companies to the costs of actual liability for violation of corporate governance laws and regulations but also force them to invest substantial amounts in compliance programs; natural disasters (e.g., hurricanes, flooding and earthquakes) in countries where companies have substantial assets and/or are engaged in a high volume of business activities; higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable; physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways; governmental regulation that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors; terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies; and cyber-attacks that disable a company’s communications infrastructure and expose companies to potential liability for theft of personal information that has been entrusted to them for safekeeping.

2. Management should be prepared to increase the company’s control mechanisms whenever there are changes in the organization’s regulatory or operating environment; changes in personnel; new or revamped information systems; rapid growth of the organization; changes in technology affecting production processes or information systems; new business models, products or activities; corporate restructurings; expansion or acquisition of foreign operations; and/or adoption of new accounting principles or changing accounting principles.

3. Risk assessment is primarily concerned with what are generally referred to as operational risks (also sometimes called transaction risks), which are risks of loss or injury to the company from inadequacies or failures relating to processes, systems or people (e.g., fraud or error).  Operational risks can arise from internal and external factors and can be found in every major business activity of the company.  Operational risks may be broken down into various categories such as credit and market risks, reputation risks, strategic risks and compliance risks.  Credit and market risks include an unforeseen adverse decline in the liquidity of a key customer that must be addressed by changes in underwriting policies and collection systems to avoid significant losses and higher costs of servicing that customer.  Reputation risks include the possibility of security breaches that result in the loss of confidential information and the loss of confidence of customers and other business partners.  Strategic risk increases when the company fails to invest in the resources necessary for collection and analysis of all of the information needed to make proper and informed decisions about major new investments.  Compliance risks include failure to comply with legal and regulatory requirements applicable to the company’s products and services, which leads to civil and/or criminal penalties.

4. The activities associated with an effective risk assessment process include identifying the risks that are most relevant to the company and developing a short description of the key characteristics of each risk so that it can be analyzed and strategies created for mitigating or eliminating it; defining the company’s “risk appetite” to determine which types of identified risks are most problematic for the company and thus are appropriate targets for mitigation activities; risk mitigation, which involves developing compliance programs and internal controls designed to reduce risks to levels consistent with the company’s risk appetite; and establishing benchmarks for measuring the effectiveness of the company’s risk mitigation efforts and procedures for continuous risk assessment to identify and manage new risks that may arise as the activities of the company and its external environment change.  The scope of the process, and the required investment, depend on the size of the company, its stage of development and its available resources, and companies must decide on the level of sophistication of risk management procedures, how much of the process should be outsourced and the appropriate internal management structure for the risk management activities.

5. Recognized general guidelines for conducting effective risk assessments include covering all major areas of potential misconduct; examining risk in the context of the company’s resources; using industry information and company history; including managers and employees from all organizational levels; analyzing both the impact and likelihood of the occurrence of a risk; quantifying each risk area; documenting the outcome of the risk assessment process; conducting the risk assessment in a defensibly objective manner and on a regular basis; and benchmarking the company’s compliance programs.


Antitrust Compliance Programs

It is essential for companies of all sizes to develop some sort of formal program and procedures relating to antitrust law compliance.  This report describes the benefits of establishing such a program and provides you with a useful checklist of the issues that you will need to consider during the course of day-to-day activities.


Trade Secret Protection Programs

For many companies, state trade secret protection laws have become a preferred form of intellectual property protection, even in cases where the subject matter (i.e., inventions) might otherwise be eligible for patent protection.  In order to achieve and maintain the maximum value from their trade secrets companies must establish a trade secret program.  In this report I discuss some of the basic elements of such a program and provide an example of a corporate statement on the subject that can be used as a guideline for establishing procedures and training purposes.


DOJ Policies on Corporate Compliance Programs

Either as a matter of internal policy or in response to specific requirements included in legislative actions, many government agencies have issued rules and guidelines relating to corporate compliance programs.  This report provides an overview of the latest influential statement of policy issued by the Department of Justice regarding the factors that federal prosecutors should consider in deciding whether to pursue criminal charges against a corporate target.  Among other things, the policy, referred to as the Filip Memorandum, discusses how prosecutors should evaluate the effectiveness of a compliance program.


Records Retention Policies and Procedures

Risk management is an important topic these days for all businesses, and founders and executives need to understand the contractual relationships of their firms and be able to access all necessary records quickly and efficiently.  In order to be sure this can be done, companies must create and maintain records retention policies and procedures.


Extending Compliance Programs to Suppliers II

I’ve been discussing the need for companies to extend their compliance program obligations to their suppliers. One basic step that should always be taken is to include standard language in every contract with an outside party that creates a contractual duty on that party to comply with all applicable laws and regulations and spells out specific areas of concern (e.g., the Foreign Corrupt Practices Act in the case of foreign parties dealing with local government officials).  Beyond that, however, companies are beginning to create their own standards for supplier activity and integrate those into how they create and manage their supplier relationships.  For example, a company may promulgate a social and environmental responsibility policy for its suppliers.  This policy becomes a public statement of the values and business practices that the company seeks in its supplier group and a de facto checklist for the due diligence that company personnel are expected to do before entering into a relationship with a new supplier.  The requirements and expectations in such a policy can then be made a part of the formal contractual arrangement between the parties through the use of a supplier social and environmental responsibility agreement.

Company policies regarding social and environmental responsibility are often derived from industry-wide efforts to develop, and build a consensus for, standards for socially responsible business practices that would apply to all participants in a supply chain regardless of their size or where they are located.  An example of such an approach is the Electronic Industry Code of Conduct released in October 2004 following collaboration by some of the major manufacturers in the electronics industry.  This Code of Conduct becomes the basis for company-specific policies that include standards for labor, health and safety, environmental matters, and business ethics.  In addition, companies electing to comply with the Code of Conduct would be expected to establish and maintain an acceptable system of internal controls and procedures to ensure that they carry out their business activities in a manner that meets or exceeds the specific standards in each area.

While imposing compliance standards on partners in the supply chain seems to make a lot of sense, and may have actually become a mandate to fulfill specific legal obligations, a word of caution is in order for those companies adopting such an approach.  One obvious potential problem, especially with suppliers in remote foreign countries, is making sure that adequate resources are invested in actual monitoring of supplier activities and enforcement of the standards set forth in policies and supplier agreements.  One of the reasons for including third parties within a compliance umbrella is the ability to represent to regulators, customers and investors that the company is indeed a good “corporate citizen” and deals only in goods and services that have been produced in accordance with the highest legal and ethical standards.  If it turns out that their vendors fail to follow those standards, the company runs the risk that its own reputation will be tarnished, particularly if it can be argued that the company did not adequately monitor a vendor’s activities.  It is important therefore for companies to use their contractual audit rights and take other reasonable steps to monitor their suppliers, including regular visits to supplier facilities to observe the effectiveness of the supplier’s efforts to adhere to labor and environmental standards.  In fact, failure to do so might even be perceived as a breach of an unexpected duty to a third party, such as a customer injured by products provided by the supplier or even employees of the supplier.  Potential problems of this type should be managed by including language in policies or supplier agreements that expressly denies that anything therein is intended to create duties to, or rights in favor of, third parties.

The content in this post has been adapted from material that will appear in Business Transactions Solutions (Fall 2008) and is presented with permission of Thomson/West.  Copyright 2008 Thomson/West.  For more information or to order call 1-800-762-5272.